Tuesday 7 December 2021

Bullit / Bluroc Hero 250 - Ownership review

 


I’ve owned the Bullit/Bluroc Hero 250 for over 8 months and buying it completely blind, never having seen one or even sat on one in the flesh, possibly gives me the right to offer a fairly unbiased review and ownership feedback on this little retro scrambler. 

I bought this bike based solely on one thing.  The styling.  Not the price, not the reviews, not because I had to (I don’t sell bikes for a living or sell anything for a living thank god).  Just pure vanity - how it looked.  I didn’t want an air-cooled underpowered 125, so I waited.

In late 2020, Mooof NV (Bullit/Bluroc brand owner) ordered from  the Chinese manufacturer Jinan Dalong, who assemble the 250cc variant of the Hero.  In the 3rd lockdown of the Coronavirus pandemic, I watched ‘motors for the masses’ YouTube video, decided £4k was acceptable enough and ordered one. 


I’ve never heard of them

Many people ask me about the bike.  What is it, who made it, who are/were Bullit?  I reply with as much as I know, but I have to explain the bike is pretty much a Chinese sourced catalogue item.  It’s even less recognisable now, that the Bullit name was changed to Bluroc, due to a legal issue with the name (apparently with Royal Enfield). 

Despite the Internet stating Bullit’s Belgian roots, I can find no true evidence it was actually designed there.  Stepping back to the 125, you can even buy the bikes from Alibaba in bulk!  So I’m not sure how much ‘designing’ was done at all, from our European friends.


You might get the odd person saying, “that looks the same as a Herald Maverick” – or possibly on the continent, a VerveMoto tracker and they’d be right.  There are other OEM renames for the bikes from Shandong Pioneer who are owned by QinGQi group who own Jinan Dalong as well!


The frame is nearly identical to the Sinnis apache and Pulse adrenalin, but I have been unable to compare side by side of course.  Mash also have their bikes produced by the same firm.  Do you care though?  I guess you do, but maybe not as much as me, who has the thing sat in the garage.

Mooof NV are the importers, distributors and brand owners of Bullit – along with a few other names, so that’s the Belgian bit, but the design is still open to question.  In the service manual, Mooof display that they own the registration, they also own the website (check the T&C’s) but the actual user manual is littered with grammatical errors akin to any mass produced Asian sourced bargain item, rather than polished English as found in Mooof’s service booklet that came with the bike.  I didn’t get a user manual by the way, but was sent a PDF a week or so later.


Specification

I will refrain from quoting the specifications of the bike, purely as they are documented on the aforementioned youtube video, but also from countless printed (Internet published) reviews.

It’s the same as the 125

You’ll be thinking immediately, that the bike is ‘the same as the 125’ and you wouldn’t be too far wrong, from 20 yards.  Obviously the frame is different, but the wheels, tyres, lights etc are all from the same parts bin.  The bike was constructed by a mass vehicle manufacturer and it is to be expected that in re-inventing the wheel wouldn’t make good wholesale business sense.

There are ‘some’ differences though, aside the engine.  Little things such as the clutch cable, speedo cable and obvious wiring.  Subtly, In the case of the speedo cable, the internal and outer length are the same as the 125.  Yet the 250 has pressed ‘kinks’ into the unions – which suggest it was an item that has been considered and revised.  However the clutch ‘adaptation’ is poorly executed as you will discover.

Speedo cable slightly different on the 250 than the 125

Here are some quick highlights that you can ‘big up’ to interested parties:

  • ·         The styling, it’s really in a world of its own to be honest. Prepare for many questions about it.
  • ·         Value – at £4,000 (+ a little extra to get it on the road) it is good value for a bike with 2 years warranty and looks as good as it does.
  • ·         It is light.  143kg wet is quoted, but after changing the tyres and removing the pillion parts, you can improve it a smidge.
  • ·         It has a decent turn in and change of direction.  It can be quite confidence inspiring in medium speed turns (not on standard tyres though).  Because of its light weight, it is nibble in the slow speed handling circuits (enacting motojitsu for example)
  • ·         OBD output is decent – hopefully you won’t need to look in there though
  • ·         Nothing looks overly complicated to replace or fix.  The China parts bin means you find most of the components used to build the bike on Ali-express!  (E.G the radiator – a split piece unit that costs £50).
  • ·         It’s pretty nippy and can easily keep with traffic.  Even dual carriageway use.
  • ·         It is quite frugal on petrol
  • ·         It sounds as good as it looks.  The exhaust is just a slightly different revision of the much praised 125 soundtrack.
  • ·         ABS and LED lights – add the ‘modern’ part to this neo-retro machine.
  • ·         The leavers are adjustable and I found no need for ‘shorty’ versions.

The 250cc engine

The engine is a 2018 designed 172MM-2. Built by CF-Moto and is the same as used in their NK 250 and SR 250 models. They sold well in Asia and received mostly positive reviews.  Despite having the Bullit name written on the side, the coil pack still has CF Moto’s branding and part code clearly visible.  Interestingly, the 250 uses a Bosch MAP sensor, so that was a welcome surprise finding a branded item rather than an unknown important component, but the TPS and inlet air temp sensor I couldn’t track down to reputable manufacturers.

 

In terms of branding, CF-Moto are the Chinese partner of the KTM’s design house Kiska.   There is partial evidence to suggest that the engine is derived from the older KTM models sold in Asian nations, but I can’t find exact text to prove or disprove this.

The space left in the frame by the engine placement hints that maybe something with bigger displacement might have sat better – or maybe this will be a future adaptation.  It doesn’t look out of place, just that it could have been bigger if it had to be.

The engine is rattily at low RPM in a high gear and causes the bike to vibrate the front mud guard quite violently.  There is enough torque to set off in second if you’re not sure what gear you are in – the speedo won’t tell you either (having only a neutral indicator).

At high RPM it is evident the single cylinder is not happy and you can feel its anger by gripping the tank with your knees.  At the top end of the rev range, to be expected is just more noise and no useable power.  It is not an engine to run on the ragged edge by any means.

The engine’s sweet spot though is a decent torque curve for such a small displacement bike.  It is readily useable from  2nd gear.  Obtaining 70mph is achievable quite easily and it has no problems holding the speed either. Given enough time, you might hit 80.  Just don’t rely on the speedometer to tell you, you’re doing this pace. 

The single, likes being in the mid-range and it even likes a blip on the downshift – something I didn’t think single cylinder bikes were overtly happy with.

The horsepower is enough to enjoy the bike for what it is.  It’s quick enough to keep up with traffic and not slow enough to bore you when green laning.  I’d use it cautiously for long stints on motorways, where really this engine and bike combination isn’t suited at all.  It likes twisty back roads, the occasional squirt off the beat and track and hovering around 60mph on B-roads.

Gearbox

It is a surprisingly comfortable gear change.  Clutchless shifting at higher gears can be difficult, but getting up to 4th, without the clutch is a doddle.  Depending on the bike’s use, it might be advisable to look at re-sizing the sprocket(s) to suit your need.  For my application, the bike will sit between 30 and 60mph so is fine as it is.  More motorway action though, would definitely have me considering sprocket options.  It can feel that it needs longer gearing when at the dizzy heights of motorway speeds.  Switching to a 520-39 rear sprocket, may help the bike at the top-end (it has a 520-43 normally).  I’d hazard a guess, the front sprocket would be easier to source though.

Exhaust

The supertrapp style exhaust was a real party piece of the 125 and it’s carried across to the 250.  It makes the bike sound a bit bigger than it is, but offers a great tone through the lower rev range.  On the overrun, the bike pops, which you can also influence by slightly advancing the throttle whilst engine braking – not enough to re-engage momentum – just ease the throttle back in the dead zone and hear it pop as you slow down.  It’s a great quirk, especially if you rev-match the downshifts as well. 

Suspension

I like a bike that is setup, so it doesn’t pitch under heavy front braking and straight away the Bullit from the factory or the builder/dealer is setup ideal for me.  Granted, there isn’t much engine braking on something like this, but what there is, doesn’t compress the front end much at all.  I find the ride very compliant on the road, however even light off-road is a bit of a bone shaker.  Obviously I’ve got the bike setup for how I use it (road riding) but it does have front adjustable pre-load on the USD’s which is great.

The rear shock has been branded ‘fastec’ on some reviews.  Unfortunately the British firm haven’t had anything to do with it, as far as I can tell – other than, they are Bullit resellers I believe (checking their instagram account).  Whilst they make niche suspension components, the Bullit rear shock is actually a ‘fastace’ unsurprisingly from China.  The model is a BFA02AR, with pre-load and rebound adjustment in 18 phases.  The adjustability using a c-spanner (not included with the bike sadly) offers a great range and plenty of customisation for the owner.  I set the static sag a few months after ownership, but it hardly needed doing.

You sit quite tall on the bike, which I really like.  It's taller than an XSR 700 and MT 07.  Short riders may not feel the same (under 5 foot 9).

The seat is comfortable, but I have a feeling it will start to droop in a couple of years (only a prediction).  As I tend to feel I am sat quite far forward and the shape and placement of the seat tends to push you towards the tank.  It's not uncomfortable or anything, just that I can foresee the front part of the seat padding getting worn, were as further back, it won't be.  I've ridden straight for over 2 hours on it and I wasn't struggling to get on or off!

Height vs an MT 07

What you should do, if you get one

This is obviously based on my own opinions, but I find it would enhance your ownership experience of the machine.

Primarily, I would keep this bike dry stored and used in fair weather.  The main reason being, is the electrical issues on the 125 model.  Obviously I can’t say how the 250 will fair, stored outside or used all year round, as this is a second bike for me.

One thing I would recommend is a shoe guard.  Oxford do one for £7.99 from J&S and it will save your left boot.  The shift peg is machined with a cross-hatch pattern that makes it quite coarse.  Immediately this will start to mark and wear any fabric when upshifting.



Tyres

The stock tyres are Kingstone and made from Nylon.  The knobbles are unwelcome unless you plan on using this bike for more than 50% of its life off-road.   When they are brand new, take care to scrub them in gently.  The showroom gloss is lethal.  Even when they are scrubbed, it is unlikely to give you much confidence in the change of direction.  At slow speeds you can obviously feel the tread blocks move, in effect almost countersteering for you.  At high speed, this converts into vibrations.  If it rains when you are out – then just consider getting off and pushing it home.  It’s not to say they are bad tyres, they’re perfectly fine for mild off-road as the bike was styled, but if you were using it for that purpose you’d have a more thoroughbred machine than this, surely?

To not detract from the overall look of the bike, consider a good compromise or halfway house tyre, such as the Scorpion, Anakee or trailrider by the big manufacturers.

I’ve not seen anyone run a true road tyre on this type of bike.  That would possibly make it look a bit retro scrambler x-moto or something – an entirely new category all its own!

Either way, don’t go wider than a 130 rear – or you won’t clear the chain.


Stock tyres lasted all of 15 miles, before I got too scared to use them!

Clutch cable

The standard clutch cable is routed to avoid the exhaust by use of a pressed angle join.  This is just aft of the pivot arm on the side of the engine.  The issue, is that the angle of the arm, tightens the clutch cable route and after an hour of riding, you’ll have forearm pump on your left side!  Obtain a replacement without the angle and route the cable yourself.  It’ll pay dividends.  Thanks to Pete English on the facebook owners group for the recommendation.  A new cable is less than £20 and easy to replace.


'Before' photo of the clutch cable, with the new one in place, to the right

Stickers

Not even the most brazen of riders fancy turning up at a bike meet, with the term ‘hero’ printed on the side, even if it is the name of the bike.  Removing them and adding your favourite riders number or numbers of personal significance would be less brash.

It’s also pretty clear (barring the Gulf 125 variant) that the colour schemes are Martini & John Player special – so maybe pay homage to that and decorate it as such.


The Hero logo was too much for me, so had some printed!

Get an OBD device that can read live data

The reasons for this are twofold.  When you need to know what’s wrong, you will have half and idea and also that you could possibly fix the problem yourself instead of having to try rely on the dealer.  The dealer/support network for these bikes is a separately discussed item.

Use the OBD when the bike works fine – note the values output by the ECU in a variety of situations (open throttle, cold idle, warm idle) and data log if you can.  When the bike is broken, you can compare the data.  Obviously the OBD can be used for code reading as well.  Being OBD compliant under Euro 4 regulations, the output is quite considerable, given the minimal components on this bike.


A Bluetooth OBD device hidden under the seat

 

Secure the front mud guard

Double check the front mud guard, isn’t going to rattle against the stands that hold it on.  It will wear away the paint if left unattended.  The guard isn’t the most secure of items and its mounts aren’t thick enough to account for flex or vibrations.  I used some thick double-sided door seal tape, to at least limit the embarrassment when I set off in a high gear by mistake.


Listen for rattles and protect the front mud guard if you hear any

Check  your coolant reservoir straw

Even if your bike is new – check this.  Undo the pipe from the radiator cap (when cold) and take out the reservoir cap with straw attached. Ensure it has a hole in the bottom.  Otherwise the reservoir is useless.  Mine was still sealed and coolant pressure found another weak point and was spitting out of the hose joins.


Unscrew the reservoir cap and check the straw

Shorten the stand

The side stand is ridiculously high.  So tall, in fact, a stiff breeze could probably topple the bike – it sits that upright!  You’ll need to remove it, cut off no more than half an inch, then re-weld the footplate.  Obviously not a job for everyone – but a fabricators would likely do this for you, for the price of a pint or two.

 

Loctite

The exhaust heat shield has a habit of unwinding it’s bolts.  Get some Loctite on them. They do go through heat cycles, so without that, it's inevitable, despite a strong torque value.


Another bolt, bites the dust (happened twice before I learnt loctite is my friend)

The not so good bits

Even considering the things that I’d suggest you remedy, there are a few negatives that you’ll have to live with.

 

·         The odometer.  It’s obviously catering for the European market, but MPH is difficult to read (in a smaller font).  It also isn’t accurate.  The technology – using a cable speedo drive – is nearly 100 years old, is fine – so by now, us humans should have it as someway accurate, unfotunately not.  I’ve used 3 other methods to determine speed and they were all within 1mph of each other, yet the speedo at 30mph was already 3mph off.  At 60mph the speedo was 5mph off.

 

Want to keep the mileage down?  Just disconnect it!  Told ya, it really is old tech.  The strange thing is, the bike has ABS, which would be a far better way to read the speed – but alas, this is not output from the ECU to the binnacle.  If you look behind the starter, you can see a speed sensor as well!  But yet, we don’t get to use it.  If I was making the V2 of this bike, I’d change the speedo to accept the outputs and remove the old speedo cable nonsense.


·         The odometer/binnacle.  I sound like a stuck record, but it is useless.  The only thing of use is the neutral light indicator and even that is hard to see at times.  The dial isn’t angled, so it just gets direct sunlight on it, making any warning lights difficult to see, even when illuminated.  You need complete and utter darkness for the backlight to help as well.  Even when it does illuminate, it’s an odd blue colour – not in keeping with anything on the bike, unless you got the Martini flavour. 


·         The fuel level.  The technology for this is nearly as old as the speedo drive, but it isn’t perfected either.  The petrol light will illuminate on/off when the bike is making start/stop motions with a ‘medium-to-low’ amount of fuel on-board.  It can get very distracting and also it is overly cautious. The ECU needs to account for fluctuations and smooth out the readings, rather than being immediately reactive.  It is annoying. 

        Because your bike looks retro means, you need to revert to the Steve McQueen method of checking the level as well, as there is no gauge.  You will look cool though.


·         The fuel cap.  Has a poor latch mechanism, that requires you to push down the fuel cap, before it will release the key.  Be careful not to snap the key in the thing, trying to get it back on!


·         The side stand is ridiculously high, but I’ve covered that.


·         Other bits (summarised, so I don’t kill you via bullet points) such as the headlight switch is far too easy to flip onto full beam (again you will struggle to notice on the speedo/binnacle that you’ve done it). There are lots of cable ties. Build quality of decorative items such as number roundels, is cheap and flimsy. Some of the bolts are far too easy to snap and shear. The rear pillion bolts have snapped when removing - and I'm not Neanderthal using cheap tools or anything!


·         The loom was trapped too tight under the seat and had rubbed the protective sheath through.


·         The PDI inspection or quality control isn’t great.  The rear indicator fixing mount (metal) was bent so badly, the indicator was off at an angle.  This was obviously done before the plastic indicator was attached (otherwise that would have snapped easily) yet it wasn’t rectified at build.

Bent indicator bracket, was obviously there when it was built

Loom rubbed through, it was too tight and rubbing under the seat
 

Servicing

 After only 500km, the bike requires an oil change.  From then on, it’s every 1500km.  It is easy to do yourself and is not expensive.  The oil filter is again an ‘ali-express’ item costing £11 delivered but is also available from Quadzilla for a little more.  Taking only 1.4L of oil per service means you can have it all done and dusted for under £40.

 The oil filling location is completely insane, being directly underneath the exhaust. Of which it can’t clear, without removal of the heat shield.  Be careful not the cross-thread the plastic oil fil cap.  Make sure the exhaust has cooled enough as well – to prevent melting the cap and also your hand!

Once you’ve done it a few times – it’ll be second nature.

 Dealer network

 Obviously the established big motorbike brands have a proven dealer network and the issue for ‘another’ budget manufacturer is how to retail and provide after-care when they have no presence in the country.  The idea is genius in principle – use smaller independent bike retailers, service centres and even driving schools to take care of it.  It should offer some ‘local’ connection to the buyers and tap into the existing loyalties of their customer base – whom rarely stray from their guardians advice.

In execution, however the situation is unproven.  Whilst I haven’t had my own issues with a Bullit retailer/dealer – there are many on the social media groups, that have.  Stories of businesses going bust, struggling to locate the source of problems and obtaining parts to rule things in or out.

Warranty related issues being pursued via a ‘big’ bike retailer will have tried and tested processes, but it’s very much a bespoke situation here.  How tried and tested a 2 year warranty would be, is not something I’d like to test.  Especially if it was so bad, as to reject a bike.  Check the owner feedback on social media and draw your own conclusion from their conclusions, but in reality pay the deposit or value on a credit card and use Section 75 cover to help you (Google it).

 Talking about the dealer network in its infancy, the brand name also wasn’t well established before the legal hiccup forced they rebranded from Bullit to Bluroc.  You could say, it makes the Bullit models slightly more desirable?  Or I could just be saying that to improve the resale value!  It does show some immaturity in the brand though and another ‘issue’ with how quickly smaller bike brands can be here one minute and not, the next.

 You’ve not actually said if you like it

All the negative elements to one side, I’ve landed on my feet (with a dose of luck) with a bike that I actually like.  Lets face it, you’ll 90% be buying this, because it looks cool, despite the negatives I’ve listed above.

It was a gamble ordering one – having never seen or ridden one, nor the 125 version but it has paid off so far.  24 months into ownership, I might have a different opinion.  I can easily pick fault in the bike – it’s human nature, to focus on them as well.  But even writing them out here hasn’t damped my enthusiasm to go grab the key and use the last few hours of daylight.

It nips down the b-roads, snakes in and out of traffic with ease and has enough power for its chassis. This provides me with all the tools needed for my back road adventures.

 I think I fit the unexpected ownership category of the bike, which is why it works for me.  Being ‘mature’ in my late 30’s, I also fit it’s hopeful vendor usage category as well – using it in the dry, servicing it regularly and not bothering the dealer if something minor is broken! 

Initially you’d be thinking this bike should sell to the youths with A2 licences, but it appears not.  Us ‘oldies’ will keep the miles down, ride in fair weather only and thus likely have less issues than juveniles who leave it outside and ride short journeys to the golden arches, on the limiter. 

 Did I mention it looks cool and everyone asks me about it?   I’m sure I did.

Friday 1 November 2013

Wow, has it been that long + basic WCCP

Its been over a year since I wrote the last blog update.  Where has the time gone.
 
Since then, life has been a little crazy.  A new job for starters.  I've learnt and experienced too much to list here - maybe one day, I'll get around to it.  But for now, I thought I'd drop a quick WCCP config in here to reference later.
 
The scenario is that guest wifi is being rolled out.  The guests are tunnelled into the DMZ and once there, they can access the internet.  The customer would like some relatively simple transparent proxy or filtering capability and so WCCP was common across both the layer 3 switch and proxy appliance.
 
I've cut and paste most of this from my own documentation, so apologies if its not 'blog friendly'.
 
__________________________________________________________________________________________________


What is all this about?

 

WCCP stands for Web Cache Communication Protocol.  It is a Cisco developed content-routing protocol that provides the mechanism to redirect traffic in real-time.  In RDaSH’s network environment, this is used to redirect Guest WiFi traffic to a proxy server – without the need to manually configure a proxy server in each device (practically impossible with Guest WiFi access).  The technology can work one of two ways; either redirecting using a GRE tunnel, or rewriting the MAC to that of the local engine (called Layer 2 redirect).

 

There are two versions of WCCP (v1 and v2 surprisingly).  Version 1 only supports HTTP (TCP port 80) traffic flows, whereas v2 supports up to 255 different service groups (such as HTTPs).  Version 2 should be used where possible.

 

Configuring a Cisco 3750x Layer 3 switch

 

Ip wccp version 2

Ip wccp web-cache password guest redirect-list 45 group-list 44

Ip wccp 70 password guest redirect-list 45 group-list 44

Ip wccp web-cache password guest

 

Here we are turning on WCCP and setting the version.  We then tell the device which ‘services’ to run with WCCP.  Normal port 80 traffic is called ‘web-cache’ so we define that.  We then define an additional service called ‘70’ which is actually an https-cache service.  We set the password to use with the WCCP service – this is defined on the proxy/filter as well, so they both have some relatively simple security.  The final parts are ‘redirect-list’ which references an ACL in order to match traffic we want re-directed. This is typically the client range.  The ‘group-list’ also references a different ACL, which is matching defined cache engines – or in our case, specifying the proxy/filter.

 

Int vlan666

Ip wccp web-cache redirect in

Ip wccp 70 redirect in

 

At this point we need to define the interface on which WCCP should begin to ‘redirect’ traffic that we’ve asked to be sent to a proxy.  Remembering that ‘inbound’ traffic is the direction specified, as in order to leave VLAN 666, traffic will be coming into its L3 interface before heading out to the internet.  We also define both services to redirect, that we configured earlier.

 

access-list 44 permit 192.168.144.4 0.0.0.0

access-list 44 remark **Sophos appliance for guest WCCP**

 

access-list 45 permit 192.168.145.0 0.0.0.127

access-list 45 remark **DHCP Guest WiFi range for WCCP**

 

The ACL’s as specified earlier contain the client range to redirect and the address of the appliance/cache engine.

 

Pitfalls

 

Unsuprisingly this solution did not work out of the box on the 3750x and hopefully these pointers may assist you.  I’m not laying the blame totally at Cisco’s door however, there was some Sophos research required as well.

 

SDM prefer

By default the 3750x uses ‘desktop default’ template.  In short, the Switch Database Management Template (SDM) doesn’t allocate resources under this default template to do any form of WCCP (it’s actually PBR via the TCAM which is responsible for WCCP).  Thus you need to change the template using ‘SDM prefer routing’.  This requires a switch reboot.

 

IP routing

Obviously make sure IP routing is enabled!

 

Re-direction method

The 3750x only supports L2 and not GRE – so make sure your appliance is set to L2.

 

Things in different subnets

I’d read that you need to have clients, cache servers etc in different subnets for WCCP re-direction to work – but this seems unfounded, at least when using L2 as the redirect and return method.  Maybe this is only evident when using GRE, which the 3750x doesn’t support, so I couldn’t test it anyway.

 

Fast Timers (Headache – take note)

In other words, keepalives – time interval.  The Sophos web appliance didn’t like this feature which I’m informed is standard on cisco firmware later than 2012 or WCCP v2 rev1.  There was no indication that this was to blame on the switch and no indication on the appliance either.

What you will see, is that traffic isn’t redirected.  Instead when issuing ‘show ip wccp’ Total packets Unassigned will increment.  Cisco documentation just states that this means the ‘cache engine’ can’t be contacted for whatever reason.  Not much to go on.

To fix the problem, you must issue the command (it’s a hidden command, so using ? won’t help) ‘no ip wccp variable-timers’.  As if by magic, it all works fine after that!  Maybe a Sophos related problem…. But there you go.

 

Further information

 
When viewing debugs on WCCP you will see a lot of packets sent with HIA and ISY I the description.  If you research these, you’ll see this is the fundamental way in which WCCP communications is established.  HIA = here I am & ISY = I see you.
Should the need arise to create/filter different WCCP service identifiers then use the table below.  YOU MUST also ensure that the filter/proxy/appliance is capable of reading these identifiers as well,  otherwise redirection will not
work.




Monday 13 August 2012

Cisco Smart Logging Telemetry (SLT) on a 3560G - Netflow Trial

A while ago, I researched the possibility of using/enabling Netflow on a couple of Cisco 3560G switches we'd purchased.  After much head scratching it was deemed you'd need IOS revision 12.2(58)SE to get any form of netflow - and its not even net flow. Hmmmm....

So... out of hours, I upgraded one of the switches to this new firmware to give it a go.
After a nervous wait for it to restart (Logging in remotely from home) I checked to see if the commands are available - which they were.
So off we go:
Create the exporter
flow exporter test-collector
 description "collection of data for the boss"
 destination 192.168.246.100

This creates an exporter profile in which I can describe what its for and where the data should go.

Then configure smartlog
Conf t
Logging smartlog
logging smartlog exporter test-collector
logging smartlog packet capture size 1024
We then need to give it something to report about.  As a test I created an ACL which permits everything:
access-list 97 permit any smartlog
and then assigned it to an inteface
interface GigabitEthernet0/3
 description Monitoring port for the boss

 ip access-group 97 in

And thats it - pretty easy to setup but to be honest its limitations are immediately visible when using Scrutinizer (or other net/s/flow related applications).  I've just shown you a test example of the ACL here - I amended it later to monitor a specific DENY on a particular protocol on a specific port.

This is netflow but with restrictions.  The data has to be event based and as such - you can view the data when an event has occurred - hence it has been logged.  That in itself limits what you can see.
Don't get me wrong, its far easier than trawling through syslog data and you can drill down into the raw data to at least see some of the packet, but other than assessing security concerns, I'm struggling to see how I'd use it.

In terms of satisfying the original request to view netflow data, I will put the question back to the originator with a politically cryptic hint of sarcasm.... "What netflow data????"

Thursday 19 July 2012

Netflow NoGo on a Cisco Catalyst 3560 switch

In our haste to purchase switches for an already over-run project, it would appear we overlooked the product features of the 3560G. 
I have been asked to enabled netflow on one of the two switches we use in a production environment, but after much head scratching - the 3560 doesn't support it.

Looking further into it, the whole 3000 series doesn't.  Unless you either buy the uplink 10G modules (but then I'm sure it'll only allow you to monitor uplinks) or use a trimmed down version of netflow exporting (appearinging in 12.2(58)SE) from a later revision firmware.  Of course, we are a few releases behind that - but I think it might be worth giving it a go anyway to try and satisfy the request.

So, its a netflow no go.  For now.

Wednesday 13 June 2012

IPSEC over GRE VPN? or maybe its the other way around...

Moan
Its been a while since I've sunk my teeth into something new.  I've had the time consuming tasks of updating CV's and interview skills, for the impending shake up of the organisation I work for.  CCNP study has taken a slight sidewards step (better than backwards) during recent weeks - but I've got a holiday booked shorty and there is no better way to learn than in the sun.

Problem
Anyway, we have the following situation:


Without concentrating on the lines and arrows, there are two sites depicted in the diagram.  The top one (the top blue oblong that covers the LAN and two routers) is what we'd call a hub site.  It is one of 5 sites that all connect together to form the core of the network.  As you can see with the 3 black lines coming from the Cisco 3745.
The other site (the bottom blue oblong) is what we call a remote site.  They typically connect back to their closest hub site, (based on legacy geographical cost) and we support about 60 of these remote sites - so the diagram is obviously cut down.
Both sites have an internet connection.  The router that manages the internet connection is controlled by a third party - so we have no access to it.  It has no firewall though, so we run CBAC on our routers.

The green lines at the remote site show traffic flow.  The 1841 makes the decision (based on static routes) which path to take based on the destination address.  If it is one of a pre-defined IP range for a website, then off it goes out of the local internet connection.  If it is an internal address (server, other remote site etc) then the packets are routed through the default route and back to the hub site via a 2mb serial connection - WHICH IS OVERSUBSCRIBED.

Question?
And thus a question has been asked:

"If the 2mb connection goes down (often), can there be a backup route using the internet connections?"

Also...

"Could the two routes be used in tandem to increase throughput?"

The diagram (if possible) might look like this:


Answer...
The answer is yes. To both questions.  Although I can't see this being implemented.

We already use GRE tunnels (see my previous posts) but that is internal.  With this setup, we'd need some form of encryption when tunnelling through the internet. 

I'll explain the tunnel setup first and just gloss over the other parts.  As I mentioned, this probably wont get implemented and its purely just answering the question to detail a business case to make it happen to then not make it happen.  Does that make sense?  No - thats politics for you.

On with the technical.

IPSEC over GRE/GRE over IPSEC...
Its one or the other, but I don't know/don't need to know which - google is your friend, if you're bothered.  Technically the tunnel would be accomplished using general routing encapsulation, but yet we'd run IPSEC to encrypt GRE packets.  But then, you need IPSEC to create the encryption to run GRE in the first place.  But you need the tunnel to then use the transport protection of IPSEC.  Chicken & Egg, I suppose.

I've configured the remote site router first:

!
crypto isakmp policy 10
  authentication pre-share
!
crypto isakmp key CISCO address 10.66.6.5
!


We define an ISAKMP policy (Good info about what this is and what it does is here) (and give it a priority number) and then instruct the policy to use pre-shared keys as the authentication method for this policy.  Two peers must have a common policy or they wont connect.
We then specify what the key will be, in this example CISCO is used - passwords and IP's are abviously made up for the purposes of this post! We also define the 'other end' I.P address with whom the key exchange will take place.

!
crypto ipsec transform-set Transformers esp-3des esp-sha-hmac
  mode transport
!
crypto ipsec profile MyProfile
  set transform-set Transformers
!


Transform sets are then used (in this case we called ours transformers) to detail what encryption and authentication methods are used for the ESP protocol (Encapsulating security payload) which is what establishes the IPsec tunnel encryption and authentication between the peers.  They must be the same at both ends or the IPSEC tunnel will not form.
The ipsec profile defines the parameters to be used between the two routers which we will reference in the tunnel protection command later.  It references the previously created transform set - You might find this confusing, but remember you can use different transform sets with different profiles and even both of them can be referenced with different ISAKMP policies!  As our example is using a simple point to point, some commands can seem overkill, but they are necessary.

!
interface Tunnel1
  ip address 12.0.0.2 255.255.255.252
  tunnel source 10.99.9.1
  tunnel destination 10.66.6.5
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile MyProfile!

!
And here we have one end of the tunnel.  This one is referenced locally as 'tunnel1'.
The ip address is a completely private range and we've assigned a subnet mask so that only the two peers are useable.
The tunnel source is the interface IP for the interface you want to create the tunnel on.  Similarly the destination is the interface IP of where the end of the tunnel should be.
Rather than using GRE, we specify the tunnel mode to be ipsec ipv4 and then introduce the tunnel protection command to reference the ipsec profile - which in turn references the transform set with encryption and authentication information.

Thats pretty much it.  That creates one end of the tunnel on the remote site router and the process of creating the other end is just a reversal of the IP addresses used above - oh, and the ip address of the tunnel being the other useable one in that subnet!

We configured the above in a test environment and guess what?  It didnt work.

Why it didn't work
I mentioned earlier that we use CBAC (or ip inspect as its referenced) and thus inbound access lists prevent any nasties from the internet making their way into the corporate network.  We had to add a couple of earlier sequence numbers to an extended access list to ensure that both UDP and ESP were permitted from the respective peers.

Like so:

!
ip access-list extended INBOUND
  8 permit udp host 10.66.6.5 eq 500 host 10.99.9.1 eq 500
  9 permit esp host 10.66.6.5 host 10.99.9.1

!

Remember that because the list is INBOUND and applied with the IN statement, the source and destination fields of the ACL must reflect the peer at the other end.  I'm only making this point because I'm used to amending ACL's for outbound access and thus I did it wrong.
Default keepalives were at 10, so we thought we'd adjust them to 5, but its user preference and not the reason why it didn't work.
Be aware:
Show int tun1 - should tell you if both the interface and protocols are up.  Check the logs too, to ensure the tunnels are passing the authentication and encryption stages of the exchange.  Ping the private addresses from each device to ensure connectivity is established.  If you add static routes to test end to end Ip ranges, then ensure you specificy the source interfaces when trace routing or pinging.
Using it as a backup route - question 1
So the question was asked about using the tunnel as a backup.  Given the 2mb serial is referenced with a: ip route 0.0.0.0/0 then we can simply add another static route but with a higher cost, to form a 'floating' static.
Load balancing - question 2
I didn't look into this option (I know, I know) but its simply because I can't replicate it in a lab environment.  BUT... because we use RIPv2 then technically the tunnel would have to have the same hop count to reach the subnets in question as it would using the 2mb circuit.  If so, then by default the Cisco router would load balance with 2 entries in the routing table.  See my earlier posts about process and packet switching to understand how this load balancing would occurr.  It would likely be load balanced per destination and not per packet - even so, with the 2mb serial connection saturated, a little breathing space would be created if only temporarily!

Hope it helps you if you need to create a point to point tunnel - securely.